Bui,
> Currently, we allocate a count-sized kernel buffer and copy count from > userspace to that buffer. Later, we use kstrtouint on this buffer but we > don't ensure that the string is terminated inside the buffer, this can > lead to OOB read when using kstrtouint. Fix this issue by using > memdup_user_nul instead of memdup_user. Applied to 6.10/scsi-staging, thanks! -- Martin K. Petersen Oracle Linux Engineering
